Authentication continues to get smarter and more convenient as the line between Card Present and Card Not Present transacting blurs
This article, the 12th in my current series of thought pieces, explores how innovations in authentication methods and technologies are blurring the line between CP and CNP transaction authentication by separating the channel on which a transaction originates from the channel on which it is authenticated.
The relentless rise in the volume and value of e-commerce transactions is bringing about widespread changes in thinking on how best to authenticate these payments. Going back to the dawn of e-commerce, merchants, card issuers and banks alike saw real value in adding layers of authentication that let them verify that the person using a customer's card details to complete a Card Not Present (CNP) online transaction was indeed the authorised cardholder.
Two-factor authentication (2FA) was put to work in earnest, particularly from the mid-2000s as smartphones began to be used to browse and buy goods and services. The principle was simple: the more ‘factors’ used to authenticate the person transacting online, the more likely they are to be who they claim to be. The factors only add strength when they are independent of one another: a one-time code delivered to the same compromised device that already holds the password adds little. So, as part of increased digital security in our daily lives, multi-factor Strong Customer Authentication (SCA) came to be mandated in many jurisdictions, most prominently under the EU’s PSD2. These ‘factors’ can be classified into:
- Something you know such as a PIN, a password, or the answer to a security question.
- Something you have such as a credit card or a device, such as a smartphone, and/or
- Something you are: a biometric such as a fingerprint, face pattern, voice pattern or gait.
3DS is over 20 years old
2FA began to be superseded by 3-D Secure (3DS) from 2001, when ‘Verified by Visa’, built on 3DS, went live. One of the big changes that came with 3DS was a shift in liability: for transactions authenticated in line with the card schemes’ 3DS rules, losses from fraudulent chargebacks pass from the merchant to the card issuer or issuing bank.
It’s no surprise, therefore, that online merchants today increasingly integrate 3DS into their checkout processes. When a customer initiates a payment, the merchant’s 3DS Server sends an authentication request that the card scheme’s Directory Server routes to the issuer’s Access Control Server (ACS), which decides how the transaction will be authenticated.
The cardholder’s issuing bank may then require additional action from the cardholder to complete authentication. This is called the ‘challenge flow’, as opposed to the ‘frictionless flow’, in which the issuer approves on the strength of its risk assessment of the data it received and the cardholder sees nothing. A challenge might involve entering a one-time passcode (normally texted to their mobile device, or sent to their email address) or approving a push notification in the customer’s banking app.
Once the cardholder successfully authenticates the transaction, the issuing bank returns that result to the merchant and the payment is processed. Equally, if authentication fails or the cardholder abandons the cart, the transaction may be declined or flagged for further review.
3DS usage is in rude health: there was 33 per cent growth in the number of merchants globally using 3DS in 2023 compared with 2022, according to Datos Insights, and Polaris research confirms that 3DS-generated revenue has seen a 12 per cent global compound annual growth rate over the last 10 years.
Authentication innovation accelerating
However, payment authentication innovation has not stopped with the wider deployment of 3DS. Online merchants are increasingly layering machine learning-driven fraud detection, address verification systems (AVS) and protection against first-party fraud on top of their online authentication processes. As more intelligence is added to authentication systems, the proportion of online transactions that turn out to be fraudulent is falling.
The challenge now is to make digital transacting as ‘frictionless’ as possible while continuing to reduce the risk of fraudulent transactions being let through or, worse, genuine transactions being blocked (false declines). It needs to be easy as well as safe.
These innovations are also spilling over into physical-store CP transacting. Under EMV 3DS 2.0, merchants now send a far richer mix of data to issuers to authenticate transactions and prevent fraud.
This data can include:
- Transaction Data: Information about the purchase, such as the amount, currency, and merchant details.
- Cardholder Data: Details about the card being used, including the primary account number (PAN), cardholder name, and expiration date.
- Device Information: Data about the device used for the transaction, such as IP address, device ID, and browser type.
- Authentication Data: Information related to the authentication process, such as one-time passwords (OTP), biometric data, or risk-based authentication results.
- Additional Data: Other relevant information that can help in the decision-making process, such as shipping address, billing address, and purchase history.
This richer data exchange helps issuers make more accurate decisions, reducing the risk of fraud further and improving the overall security of online transactions. Machine learning models are applied to these combined data streams to improve fraud detection rates. The result is that consumers are required to physically slot their bank card into a POS device less and less; many leave their physical wallets at home when they are out and about today. Our personal buying behaviour, location and other data-based insights will increasingly verify that we are the cardholder we say we are.
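The exchange described above, from the merchant's AReq carrying the transaction, cardholder, device and address data through the issuer's choice between the frictionless and challenge flows, as an added example (example code written for this edit, not Mypinpad's code and not a real 3DS Server or ACS). The message names AReq/ARes/CReq/CRes and the transStatus values Y, N and C follow the EMV 3DS specification; the field subset, the risk scoring, the OTP policy, the `deviceID` field and all sample data are assumptions made for the illustration.

```python
"""Simplified model of an EMV 3-D Secure 2.x authentication exchange.

Added illustration, not Mypinpad code and not a real 3DS Server / ACS.
Message names (AReq, ARes, CReq, CRes) and transStatus values (Y, N, C)
follow the EMV 3DS specification; the field subset, the risk scoring,
the OTP handling and all sample data are assumptions made for the example.
"""
import hmac
import secrets

CHALLENGE_THRESHOLD = 50  # assumed policy: score at or above this => challenge flow
MAX_OTP_ATTEMPTS = 3      # assumed policy: wrong OTPs allowed before transStatus N


def build_areq(trans_id, order, card, device):
    """3DS Server (merchant side) assembles the AReq from the transaction,
    cardholder, device and additional data the article lists."""
    return {
        "threeDSServerTransID": trans_id,
        "purchaseAmount": order["amount"],          # minor units
        "purchaseCurrency": order["currency"],
        "merchantName": order["merchant"],
        "acctNumber": card["pan"],
        "cardExpiryDate": card["expiry"],
        "browserIP": device["ip"],
        "browserUserAgent": device["user_agent"],
        "deviceID": device["device_id"],            # assumed field for the example
        "shipAddr": order["ship_addr"],
        "billAddr": order["bill_addr"],
    }


class AccessControlServer:
    """Issuer side (ACS): risk-scores the AReq, answers frictionless (Y) or
    challenge (C), and verifies the OTP the cardholder submits in the CReq."""

    def __init__(self, known_devices):
        self.known_devices = known_devices  # PAN -> set of device IDs seen before
        self.pending = {}                   # transaction ID -> outstanding challenge
        self.outbox = {}                    # PAN -> last OTP "sent" (stands in for SMS/push)

    def risk_score(self, areq):
        score = 0
        if areq["purchaseAmount"] > 20000:       # large ticket (assumed: above 200.00)
            score += 30
        if areq["deviceID"] not in self.known_devices.get(areq["acctNumber"], set()):
            score += 40                          # never seen this device for this card
        if areq["shipAddr"] != areq["billAddr"]:
            score += 20                          # goods going somewhere new
        return score

    def handle_areq(self, areq):
        tid = areq["threeDSServerTransID"]
        if self.risk_score(areq) < CHALLENGE_THRESHOLD:
            # Frictionless flow: authenticated on the data alone, no cardholder action.
            return {"threeDSServerTransID": tid, "transStatus": "Y"}
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[tid] = {"otp": otp, "attempts": 0,
                             "pan": areq["acctNumber"], "device": areq["deviceID"]}
        self.outbox[areq["acctNumber"]] = otp   # real ACS: SMS / push to the cardholder
        return {"threeDSServerTransID": tid, "transStatus": "C"}

    def handle_creq(self, creq):
        tid = creq["threeDSServerTransID"]
        state = self.pending.get(tid)
        if state is None:                        # no challenge outstanding for this ID
            return {"threeDSServerTransID": tid, "transStatus": "N"}
        state["attempts"] += 1
        if hmac.compare_digest(state["otp"], creq["otp"]):
            del self.pending[tid]
            self.known_devices.setdefault(state["pan"], set()).add(state["device"])
            return {"threeDSServerTransID": tid, "transStatus": "Y"}
        if state["attempts"] >= MAX_OTP_ATTEMPTS:
            del self.pending[tid]                # lock out: no unlimited guessing
            return {"threeDSServerTransID": tid, "transStatus": "N"}
        return {"threeDSServerTransID": tid, "transStatus": "C"}   # may retry


def merchant_checkout(acs, order, card, device, cardholder_types_otp):
    """Merchant side: runs the exchange and decides whether to submit the payment.
    `cardholder_types_otp` stands in for the human and returns the code entered."""
    tid = secrets.token_hex(8)
    status = acs.handle_areq(build_areq(tid, order, card, device))["transStatus"]
    while status == "C":
        creq = {"threeDSServerTransID": tid, "otp": cardholder_types_otp()}
        status = acs.handle_creq(creq)["transStatus"]
    authenticated = status == "Y"
    # Liability shift applies only to transactions the issuer actually authenticated.
    return {"transStatus": status, "submit_payment": authenticated,
            "liability_shift": authenticated}


# Constructed sample data (test PAN and documentation IP ranges, not real ones).
CARD = {"pan": "4111111111111111", "expiry": "2712"}
KNOWN_DEVICE = {"ip": "203.0.113.7", "device_id": "dev-laptop-01", "user_agent": "Mozilla/5.0"}
NEW_DEVICE = {"ip": "198.51.100.9", "device_id": "dev-unknown-77", "user_agent": "Mozilla/5.0"}
SMALL_ORDER = {"amount": 4999, "currency": "826", "merchant": "Example Shop",
               "ship_addr": "1 High St", "bill_addr": "1 High St"}
RISKY_ORDER = dict(SMALL_ORDER, amount=35000, ship_addr="99 Other Rd")


def new_acs():
    return AccessControlServer({CARD["pan"]: {KNOWN_DEVICE["device_id"]}})


if __name__ == "__main__":
    acs = new_acs()
    print(merchant_checkout(acs, SMALL_ORDER, CARD, KNOWN_DEVICE, lambda: "x"))  # frictionless
    print(merchant_checkout(acs, RISKY_ORDER, CARD, NEW_DEVICE,
                            lambda: acs.outbox[CARD["pan"]]))                    # challenge, right OTP
    print(merchant_checkout(new_acs(), RISKY_ORDER, CARD, NEW_DEVICE, lambda: "x"))  # wrong OTP x3
```

Two details carry the security weight: the OTP comparison uses a constant-time compare and is capped at a fixed number of attempts, after which the challenge is discarded rather than left open for further guessing, and the merchant only treats the transaction as liability-shifted when the issuer's final transStatus is Y, never on the mere fact that a challenge was started.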
Authentication innovation shift coming
The EMV and PCI standards that govern card acceptance (the acquiring side) assume at their core that cardholders are transacting on someone else's device. That might be an ATM under the control of a bank, or a payment terminal under the control of a merchant. Transaction origination is simple. The merchant keys in the amount and the card is presented.
Cryptography lets the card authenticate itself to the issuer through that ‘untrusted device’: the chip computes a cryptogram over the transaction data (the amount, a terminal-generated unpredictable number and the card's own transaction counter) with a key it shares only with the issuer, so neither the terminal nor anyone between it and the issuer can forge a transaction, alter its amount or replay an old one. If that check passes, the customer is sometimes asked to authenticate themselves by entering a PIN. This is how things have worked for decades across the world and how things continue to work, for the most part, when shopping in physical stores today.
However, e-commerce payment authentication started to chip away at the underlying assumption that a transaction always originates on an untrusted device. Instead, consumers are generally entering their own card details on their own devices. These Card Not Present transactions were always considered riskier for banks and, in particular, merchants, but that did little to stem the rise of e-commerce transactions.
Innovations such as the Card Verification Value (CVV) and 3DS were rushed in to tackle rising fraud risk by allowing customers to authenticate themselves to their banks (‘issuers’). The industry, now split between CP and CNP transactions, seemed quite settled for the next 20 years or so.
Significant authentication innovation step change underway
However, that status is changing fast now. The drivers for this change stem from rapid innovation in acceptance devices such as SoftPOS, the prevalence of online rather than offline transactions, and new methods of authentication. The other big shift is a recognition amongst issuers and merchants that convenience and customer experience are as important (and in many cases more important) than 360-degree security and fraud prevention at all costs.
Contactless transactions, for example, already require no cardholder verification for amounts under the so-called ‘CVM limit’ (the Cardholder Verification Method limit), balancing the convenience of just tapping and going against the risk of a low-value transaction. Amounts above this limit require PIN entry, matching that extra inconvenience to the higher risk.
CDCVM blurs lines between CNP e-comm and in-person CP transaction authentication
Enter the Consumer Device Cardholder Verification Method (CDCVM), a relative newcomer to the authentication standards world, which uses the security of a consumer device such as a smartphone or watch to verify the cardholder, whether in an app, in a mobile wallet or when completing a contactless payment. Instead of the terminal collecting a PIN, the device verifies its owner locally (by biometric or passcode) before releasing the payment credential, and signals to the terminal and issuer that CDCVM was performed.
This new authentication channel blurs the line between in-person and e-commerce transacting because the same cardholder verification can now be deployed for both. ‘Under the hood’ the solutions are implemented differently, but the experience is increasingly uniform, smooth and natural to most consumers.
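One model that ties together the chip cryptogram described in the earlier section on untrusted terminals and the CDCVM mechanism just described, as an added example (written for this edit; not Mypinpad's code, not from any EMV kernel, and not EMV-conformant). EMV derives 3DES or AES session keys and computes the ARQC with an ISO 9797-1 MAC; here HMAC-SHA256 stands in for that, and the field layout, the CVM-result codes, the no-CVM limit, the class and function names and all sample keys and PANs are assumptions. A plastic card and a consumer device produce the same kind of cryptogram, but only the device verifies its holder before releasing it; the issuer checks the MAC, rejects a replayed transaction counter, and above the limit accepts either a correct PIN or a CDCVM claim that the MAC itself binds to the transaction.

```python
"""Card or consumer device proving itself to the issuer through an untrusted
terminal, and CDCVM moving holder verification onto the consumer's own device.
Added illustration, not Mypinpad code and not EMV-conformant: EMV derives
3DES/AES session keys and uses an ISO 9797-1 MAC for the ARQC; HMAC-SHA256
stands in here. Field layout, CVM codes, the limit and all sample data are
assumptions made for this example."""
import hashlib
import hmac
import os

CVM_LIMIT = 10000                                            # assumed no-CVM limit: 100.00 in minor units
NO_CVM, ONLINE_PIN, CDCVM = "NO_CVM", "ONLINE_PIN", "CDCVM"  # assumed CVM-result codes


def cryptogram(key, pan, atc, amount, currency, un, cvm):
    """MAC over the transaction data. The CVM result is covered too, so a terminal
    cannot claim a PIN or CDCVM happened when it did not."""
    msg = f"{pan}|{atc}|{amount}|{currency}|{un}|{cvm}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]  # 8 bytes, like an ARQC


class PaymentCard:
    """Plastic card: shares a key with the issuer and keeps an Application Transaction
    Counter (ATC). It cannot verify its holder; that is left to the terminal."""
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_ac(self, amount, currency, un, cvm):
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "cvm": cvm,
                "arqc": cryptogram(self.key, self.pan, self.atc, amount, currency, un, cvm)}


class ConsumerDevice:
    """Phone or watch holding the same kind of credential, but releasing a cryptogram only
    after verifying its owner locally (modelled as a secret compare; real devices match a
    biometric template inside secure hardware)."""
    def __init__(self, pan, key, holder_secret):
        self.card, self.holder_secret = PaymentCard(pan, key), holder_secret

    def tap(self, amount, currency, un, presented):
        if presented is None or not hmac.compare_digest(self.holder_secret, presented):
            return None                               # holder not verified: nothing is released
        return self.card.generate_ac(amount, currency, un, CDCVM)


class Issuer:
    def __init__(self):
        self.cards = {}                               # PAN -> {"key", "last_atc", "pin"}

    def enrol(self, pan, key, pin=None):
        self.cards[pan] = {"key": key, "last_atc": 0, "pin": pin}

    def authorise(self, amount, currency, un, ac, pin=None):
        rec = self.cards.get(ac["pan"])
        if rec is None:
            return "DECLINE: unknown card"
        expected = cryptogram(rec["key"], ac["pan"], ac["atc"], amount, currency, un, ac["cvm"])
        if not hmac.compare_digest(expected, ac["arqc"]):
            return "DECLINE: bad cryptogram"          # forged, or data altered after the MAC
        if ac["atc"] <= rec["last_atc"]:
            return "DECLINE: replayed ATC"            # counter must move forward
        rec["last_atc"] = ac["atc"]
        if amount > CVM_LIMIT:                        # above the limit the holder must be verified
            pin_ok = (ac["cvm"] == ONLINE_PIN and pin is not None and rec["pin"] is not None
                      and hmac.compare_digest(rec["pin"], pin))
            if ac["cvm"] != CDCVM and not pin_ok:
                return "DECLINE: cardholder not verified"
        return "APPROVE"


def terminal_tap(issuer, instrument, amount, currency="826", pin=None, holder_secret=None):
    """Untrusted merchant terminal: keys the amount, picks a fresh unpredictable number,
    asks a plastic card's holder for a PIN above the limit, and forwards the cryptogram.
    It never holds the card key. (A real terminal encrypts the PIN in transit; omitted.)"""
    un = os.urandom(4).hex()
    if isinstance(instrument, ConsumerDevice):
        ac = instrument.tap(amount, currency, un, holder_secret)
        return "DECLINE: device did not verify holder" if ac is None else issuer.authorise(amount, currency, un, ac)
    cvm = ONLINE_PIN if amount > CVM_LIMIT else NO_CVM
    return issuer.authorise(amount, currency, un, instrument.generate_ac(amount, currency, un, cvm), pin)


def tamper_attack(issuer, card, amount, inflated_amount):
    # A cryptogram made for one amount is submitted with a larger one.
    un = os.urandom(4).hex()
    ac = card.generate_ac(amount, "826", un, NO_CVM)
    return issuer.authorise(inflated_amount, "826", un, ac)


def replay_attack(issuer, card, amount):
    # The same cryptogram and unpredictable number are submitted twice.
    un = os.urandom(4).hex()
    ac = card.generate_ac(amount, "826", un, NO_CVM)
    return issuer.authorise(amount, "826", un, ac), issuer.authorise(amount, "826", un, ac)


# Constructed sample credentials: test PANs and throwaway keys, not real ones.
PLASTIC_PAN, PLASTIC_KEY = "4111111111111111", b"plastic-card-key"
DEVICE_PAN, DEVICE_KEY = "5555555555554444", b"token-on-device!"


def demo_issuer():
    issuer = Issuer()
    issuer.enrol(PLASTIC_PAN, PLASTIC_KEY, pin="1234")
    issuer.enrol(DEVICE_PAN, DEVICE_KEY)              # device token: no PIN on file
    return issuer
```

The point to notice is where the trust sits. With the plastic card the terminal chooses the CVM and collects the PIN, so the issuer must insist on the PIN itself for anything over the limit. With the consumer device the terminal sees only a cryptogram whose MAC covers the CDCVM claim; because the terminal has no key, it cannot manufacture that claim, and the issuer can accept it without a PIN. The `tamper_attack` and `replay_attack` helpers show the two checks an issuer cannot skip: a cryptogram bound to a different amount fails the MAC, and a resubmitted cryptogram fails the transaction-counter check.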
Similarly, PIN entry is being used in remote contexts by consumers (with or without tapping their card) to provide increased authentication for CNP transactions, or as part of internet or mobile banking. Mypinpad already has authentication customers using CDCVM and new use cases, including authenticating keyless entry to hotel rooms and vehicles, are popping up all the time.
CP versus CNP distinction for authentication will disappear
In summary, the CP versus CNP distinction is quickly coming to an end, in my view. What matters more is whether the transaction’s origination and authentication paths are the same or different. Beyond that, it’s about the strength of that authentication and whether step-up authentication can be integrated to dynamically adjust the level of authentication as the risk of a specific transaction is assessed in real time. It’s about understanding transaction risk and pricing it accordingly. It will be an interesting time for acquirers and issuers alike to navigate this change.
As for Mypinpad, we continue to provide payment and authentication solutions, bundled or separated, both for merchant and consumer device-based transacting, all on the same underlying SDK and kernels.
Comment (4 months ago): Fascinating read, Barry Levett! 🚀